
Building Security Champions

BSides Vancouver · 2021 · 37:21 · 583 views · Published 2021-06
About this talk
Tanya Janca presents a scalable approach to expanding security capacity by recruiting and developing security champions—passionate technologists who advocate for security within their teams. The talk outlines a repeatable recipe: recruit, engage, teach, recognize, reward, and sustain the program through consistent communication and support.
Original YouTube description:
BSides Vancouver 2021. With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. The recipe: recruit, engage, teach, recognize, reward, don't stop.

Transcript [en]

Hi, my name is Tanya Janca, and today I'm going to talk to you about building security champions. We're going to talk about scaling your security team and your security program, and basically how you can do more with less. As a security professional, you are probably aware that you will never have enough money, time and people to do every single thing that you want to make your program the best it can be. So let's talk about strategies to make this work for you. So again, we're going to talk about scaling. I don't mean scaling a fish, where we take off all the scales; that's gross, but I know fishers do it, for sure.

But we're going to talk about growing your program so that it's bigger than you. When we think about cloud computing, often we'll think of scaling and how things can get bigger and bigger and bigger, and that's what we're going to do with your security. We're going to talk about what security champions are and how we want to build them up. Sometimes people think security champions come out of nowhere, and once in a while, when we're lucky, they do, but most of the time we need to encourage that behaviour and build them up, train them, teach them, engage them, etc., so that we can turn them from just a regular technology employee into a champion of our cause, which is security.

So we're going to follow a recipe that I've done a bunch of times and that I've seen work really well over and over. It's not easy, but the return on your investment will be huge. We are going to follow this recipe throughout the entire talk, and we're going to go back to each one of these sections, so you don't need to memorize this. First we're going to recruit our champions. We're going to engage them: interest them, attract them. We're going to teach them all the stuff we need them to know. We are going to recognize them in front of their peers and in front of their boss. We are going to reward them, give them benefits for being a security champion. And most importantly, we are not going to stop. Stopping is the number one error that I see in security champions programs. Can't stop.

So who the heck am I? I am Tanya Janca, also known as SheHacksPurple. I'm the CEO of a Canadian cyber security training company called We Hack Purple. I wrote a book and it went best seller, and I'm so grateful; it is called Alice and Bob Learn Application Security. I've worked in tech a long time; it says 20 plus, I'm almost at 25. I have founded a bunch of non-profit things to help people learn about security. I build things, I really like breaking them and then fixing them, I podcast, I stream, I am a nerd at large on the internet, and that's the main stuff you probably need to know about me. So hopefully you're like, she seems qualified, I'm willing to sit through this. Awesome, let's go. Oh yeah, that's about me.

Okay, so the problem: there are not enough application security professionals to do all the work that we need doing. I read a study yesterday, and there are now 3.5 million jobs around the world in the cyber security industry with no qualified person to do them. This stinks, and because of that, a lot of work is not getting done. So this is the problem; you probably know the problem and feel that pain acutely. So let's talk about solutions. I want to scale your team and your program so you can go further with less. We know there aren't enough of us, and we want to find ways to make our efforts stretch way further than they could on our own. My main proposal is security champions. There are a bunch of other ways that you can actually scale your team, etc., but this is the best one, and I'm only allowed to give one talk at this conference. So, security champions.

A security champion is the member of a team that takes the responsibility of acting as the primary advocate for security within that team, acting as the first line of defense, or the first person to give information, or the first person to act within that team when it has to do with security. That's the formal definition that you'll find floating around the internet, but my definition: it is the person who's the most excited about security, the person on the team who wants to read the book, fix the bugs, asks the security questions, shows up to your lunch and learns every single time. That is your champion, and you want to find those people and encourage them as much as you can.

Okay, so what is a champion? They're your communicator: they deliver security messages for each dev team, they teach, share and help. They're your point of contact: they deliver messages to the security team, they keep you up to date on what matters to your team. They are your advocate: they perform security work for their dev team with your help, but they also advocate on behalf of security, and they help give you information so you can advocate on behalf of the devs. They kind of meet you halfway, let you know what's going on, and make sure that your message, you know, to continue making apps that are secure, gets heard. I'm going to talk a lot about software because that is my specialty, but security champions can work with all sorts of areas. You can have security champions on your project management team, you can have security champions in your executive; I certainly hope you do.

Okay, so let's build security champions. Again, this is our recipe: recruit, engage, teach, recognize, reward, and do not stop. Yes. Okay, so let's go through the recipe. We're going to start with recruit. Recruiting champions, right? I'm playing the big muscle emoticon because I like to think of champions as like they're tough and they're strong. Okay, so the first, most important rule when trying to recruit people to be your champion: don't volunteer them to be a security champion. You want to attract the right people instead. If you tell the managers, yeah, one of your team members has to be a champion, tell me tomorrow who they are, you're probably gonna get the dev that they think stinks, not the really good dev. You're probably gonna get a person that is in trouble or was late to the meeting, rather than the person that actually has been studying cyber security on their own. You really want to help them self-identify whenever possible. And the number two rule is: ensure the managers are on board. They have to give them time to work on this work. If the manager is like, I don't want you doing that, I have work for you that's more important, then you're making the person be torn between the person that pays them and your team, and that's not a good place to put anyone. So it's really important that the management team supports this and is on board.

So let's talk about recruiting. First of all, you want to ask for volunteers instead of appointing people without consent. You know, sometimes people say, oh, I just do the thing and then I beg for forgiveness later. I don't like that approach; I prefer consent and people knowing what's going on, because you get better long-term results. It's important to provide opportunities for them to reveal themselves. Opportunities can include: you can add to your email signature that you're looking (I know that sounds ridiculous, but it so works); you can use lunch and learns or training sessions, and anyone that attends all of your events or is always asking questions is probably a potential champion; you can use really interesting titles, like subjects for your emails or for when you do a lunch and learn event, things like that. You want to attract them, and you need to remember that with the stuff that you do. And the last thing is that you really want to have a mantra, as a security team in general: it's my job to serve you, it's my job to help you do your job securely. When you have this mantra and attitude, instead of "you have to jump through these security hoops or you can't go to prod," you'll get better results. People will be more interested and recruitment will be a lot better. Places where I've worked where the security team has adopted that mantra, or that ideology of it's our job to serve you, you're our customer, I've seen huge, huge, huge positive results.

Okay, so we've recruited some people, we have an idea. How do we engage them, get them interested? So we want to engage them, and let me tell you what I mean. We want to occupy, attract and involve them in security stuff, and we want to participate or become involved with them, right? So we want to engage with them and make them feel engaged with security. What does that mean? You could bring them on a security incident if you got permission, especially if it has something to do with stuff they work on; that will be highly educational and interesting. Share secrets when it's appropriate. I have deputized lots of teams before; I've told them, listen, this is need to know, you can't tell anyone outside this room, but let me tell you what happened last week. It can make people feel special, it can be intriguing, very interesting. That's how I got hooked, I mean really. Let them see everything first: let them see new tools, let them see changes, let them see information. Whatever is upcoming, tell them first so they have the inside scoop. Create a mailing list to tell everyone new stuff about security. It sounds so silly, but you only need 20 people on your mailing list if they're all engaged. You want to meet with them at least once every month and have a list of questions every time so that you're ready to ask them about stuff. Stuff that I would ask: what are you working on? What are you going to be working on? Do you have any problems? Do you have any questions? How can I help? And be surprised at the things they're gonna tell you. You should brace yourself for bad news so you can play it cool. I have not always been able to play it really cool when I have gotten news from my security champions about what has been going on in my organization. If they're like, yeah, so there's this thing, and I'm not sure if it's a thing, but I kind of want to tell you, it's probably going to be really bad, and you want to brace yourself for that. If you can do team building events so that the security champions can all know each other, that's really, really cool. A tabletop exercise is a really good way to have team building, or even just invite them all for coffee and introduce each other once COVID has made that a safe possibility again. Invite them to join security communities. There is an OWASP chapter in my city and in the previous city where I used to live, and I would invite people from my teams to go, and if they wanted to go we would usually just walk over from work together. They wouldn't go all the time, but they would go sometimes, and each time they'd learn tons of important stuff, and so that's awesome and it got them more interested. Those are a lot of the ways I got some champions.

So now we want to teach them stuff. What should we teach our champions? This, I feel, sounds simple, but it's hard. The first advice I want to give you is: only teach them what they need to know. Don't teach them piles of crap. I once worked somewhere and my job was to do AppSec but also to train all the devs, and they'd hired this really high-paid, fancy consultant the year before, and he had made this training for the devs, and she's like, yeah, do you want to deliver this training? And I threw three quarters of it in the garbage, because there was a whole day on, you know, symmetric versus asymmetric encryption, and I said, why do the devs need to know this, and the history of Diffie-Hellman? I'm like, do we want them to be bored to tears? Is this a punishment that we're putting them through? Why are we teaching them tons of crap that they don't need to know to do their jobs? Devs already have enough on their mind; every person in IT, we're busy. So you want to teach them what you need, expect and want from them as your security champions. That's what you want them to know. Let me get a bit more into that, because I am a security teacher, professor, trainer person, so yeah, I'm gonna give you a lot of stuff.

Okay, so if you are in my shoes, where you're trying to make security champions that are software developers and those that revolve around them, I want to teach them secure coding and security architecture. Yes, that is super important. I want all the devs to know that, but I especially need my champions to really know it. I want them to know all the policies of the place I work; that's super duper important. If they don't know the policies, then they can't tell us when there are screw-ups and people aren't following the policies. You want to teach them policies in the most interesting way you can; you don't want to bore them to tears. Do your best; not every policy is fun. Tooling: you want to teach them the tools that they're going to be using. I'm going to dig into each one of these in the following slides, because honestly this is the question I get asked the most: what to do with their security champions. They're like, what do we teach them? I'm like, teach them this.

Okay, so secure coding and security architecture. If you can give them formal training, that's awesome. If there can be labs or some sort of hands-on, especially code review; I really, really want my champions to be able to review every single pull request or code check-in to see if it's following our secure coding guideline. So important. If possible, I want to teach them threat modeling. I really want them to know threat modeling. They might not lead the threat modeling most of the time, but they will find all sorts of threats. Threat modeling is like a habit: once you learn how to do it, you just can't stop. Security architecture: I want them to be able to whiteboard out an app with their team and then ask really simple questions, like, is there encryption between there and there? How are you authenticating and authorizing once you get there? Are you? Oh, you're not? That doesn't seem very good. If they can just do the simplest parts of security architecture, they can help you scale your program so much, because there's just not enough time in the day for me, or whoever the full-time AppSec person is, to do a security architecture review on every single app you have. Code review: I know code review might not be a sexy topic for every person, but I really need my champions to be able to spot at least the big three. They must be able to spot, every time, if there's not input validation or if the input validation looks incorrect; there needs to be output encoding; and they need to be using parameterized queries if they're talking to a database. If you could just review for those three things, life will be so, so much better. How to fix the bugs that they find: if they're doing code review, are they able to fix the code, or suggest a fix to the dev that they found it in? How to fix bugs that the pen tester finds, etc. You want them to be able to look at a report and not think, what does this mean? And you want to repeat this training yearly, because things change, and because, quite frankly, devs have so many responsibilities and so many things they need to know; refreshing them will get you better results.

Okay, so more: your policies. No one's going to follow your policies if they don't know what they are, and your champions really need to know them. Which policies, standards and guidelines actually apply to them? Help them create guidelines that don't exist. If there is no secure coding guideline, help them make one. If there are no guidelines for anything, like how to use a security tool on the network, what bugs need to be fixed and which bugs can wait 30 days, etc. Teach them how to be compliant with these policies and help them get there. You might have to create a project schedule with them to help them become compliant. You don't want to just run around and hit people with a policy stick; you want them to meet the policy, you want them to be compliant, not so that they're obedient and good employees, but because then your organization is more secure. It is my opinion you absolutely must teach them what their role is during a security incident. I have had too many security incident situations where another staff member did not know what they should and should not be doing, where they messed up my incident pretty bad, and so it's really important that they know what their duty and role is, what you need from them. A way of teaching is job shadowing, and I know that this is topics and this is a way, but that is just a really good way to teach them. If you have to do a whole bunch of code review, inviting one of your champions to do it with you so that they can learn is a really good way to teach, and if you're not used to teaching, this can be a less uncomfortable, you-don't-have-to-prepare-as-much sort of way to teach. I also believe that for policies you should hold consultations before you put them live and into place, and ask them for their input, because these policies are going to affect them and they know their jobs better than you do, and so you should definitely check with them to make sure. Well, do the best you absolutely can; how about that?

Okay, so tooling. I want them to know all the tools that I expect them to interact with or use as part of their job, so custom training on the AppSec tools, or whatever the security tools are that you have them use. They need to understand what the output means. That might seem so obvious: we'll just go to your favorite search engine and look it up. No, no, it doesn't always work that way. If there are things that come up commonly, you want to go over it with them so they feel comfortable. You want to help them validate the results of these tools, because you probably don't have time to validate every single thing every time, so you want to train your champions how to do that, and then to just come to you when they're stuck. You might be training them how to install and configure the tools. For instance, I worked at a place and every team had their own pipeline to release code, and so they wanted to just make them all struggle and figure out how to install the tool themselves, reinventing the wheel every time. I'm like, no. So we made one demo pipeline, we showed them all, we're like, just copy this YAML into your pipeline like this, and then tell us if you have any problems running it. Help them select the best tools. This is really important: when there are new technologies being selected for where you work, you want to be a part of this. Helping to teach your champions to put forth, like, oh, but how secure is that tool? That will make your life easier in the future. Some ways that you can teach them are lunch and learns or hackathons, where you could teach a whole bunch of champions together, but basically everything you can about the tools you expect them to use, you want to train them.

So I know that I'm going into the style of teaching again, even though we're in the topic section, or the teaching section, but this is a way of teaching and just isn't a separate part; I'm kind of including that in this part of the recipe. So, coaching. Yes, the kitty with a lightsaber. I believe that coaching is a really good way to get the things that you want, so let me briefly explain what I mean. It means enabling individuals or teams to reach their maximum potential. You want to facilitate how they learn, you want to figure out what their motivations are, and then assist them in making change. You want to change these just plain old regular software developers into security champions: devs that understand security, devs that take it seriously, that advocate for it. And so if we want them to start practicing a secure system development life cycle, we need to support them and coach them to get there, and if we want our security champions constantly evangelizing our cause and advocating for us, we need to reinforce those values, and that means regular touch points, and that's coaching. So back to the kitty with the lightsaber. For champions, set up office hours; make yourself available. I know right now with COVID people are like, how do you do office hours? Simple: you share a meeting invite with everyone, and every Friday from two to four you just have a Zoom thing open, and if someone shows up then you talk to them, and otherwise you just clear your inbox or do whatever other task it is that you need to do. People won't show up every time, but when they do they really want to talk to you. Set up repeat meetings with all your champions to meet with them once a month. If they need to reschedule, it's okay, but don't let them miss for more than one month in a row. Help them prioritize their activities or their bugs, because sometimes they just need a fresh look at things. Be as available as you possibly can. I know that you have a job, you have work to do, you're a busy person, I get it, I know, but the more available you can be for your champions, the more engaged they will be and the better job they can do for you. Help them set goals and then help them achieve those goals. There is nothing that makes someone more motivated than smashing some goals and setting new ones; this will get more engagement for you in the long term. Teach them specific skills or tools, especially if there are ones they ask for. You might have some where they really want to learn dynamic scanning, they really want to learn, you know, ethical hacking, let's say, but other ones might really want to learn about security architecture, about code review. Encourage them on the things they want to learn. And lastly, ask them what they need and provide it whenever you can. This is super important. That's it; this goes for every employee that you manage.

Okay, so a special note on delegation. There are some things that should not be the responsibility of the AppSec team. I know you probably know how to do these things as a security professional, but you need to delegate these. You want to delegate fixing bugs; you should not be staying around fixing all the security bugs. I know it's tempting, you're like, I could do this better and faster. Yeah, but it'll never scale. Updating frameworks: you get frustrated, you're like, can't you just upgrade it, I'll do it. No, don't do it, because then you'll always have to do it. Planning releases or upgrades, assigning who fixes what bug, running every single scan, implementing or tuning every single tool, writing security unit tests; the list is endless. But if you can teach them a thing, you see them doing it, delegate it. This is part of you scaling your program, and delegating to your champions is a safe move if you have trained them and they accept the responsibility. Things to not delegate. Do not delegate these things: validating SAST results. Static application security testing tools' results are complex unless you've given your security champions a lot of training and you work very closely with them. I have seen so many times security teams are like, oh, the devs will just validate this, and then no one uses the tool and the tool just rots, even though it has very valuable data in it. So definitely only do this if they are comfortable. Giving the security team's approval on technologies or anything else: no one can give the security team's approval except the security team, and that's you. Using new tools without being trained: they must be trained before they use any security tool on your network. Training new champions: they can hang out with them, they can show them cool tips and tricks, but it is your job to onboard new champions. We are looking for partnership and assistance; we are not looking for replacements for our team members. I've seen people where they go way one way or way the other way, and you want to try to walk down the middle of this line between delegating what the champions are comfortable with and not delegating your power or authority, or things that they might not be comfortable doing a good job of.

Recognize. It is important to recognize your champions. We want them to know they are doing a good job, and we do not want them to feel like they are trying really hard, doing two jobs, but for some reason only one paycheck arrives. We don't want them to feel like this, so we recognize them so that they know that we see. I've had people say, oh, this is lame, people don't care. They really care, trust me, they really care. Adults respond. People are like, that's for children. No, adults also want positive reinforcement. They want to know that their boss knows they did a great job, they want their peers to know that they work really hard. It's normal. So we want to recognize them. A thing you can do is put a certificate on their wall that says they're a security champion. I've seen it time and again, and people are just like, really? Yes, yes, people really like it and they respond well. Recognize them whenever you can in front of their peers. This could mean giving them a special virtual background that says I'm a security champion. There could be a star on their name in your internal chat, so if you use Slack or Teams or whatever, having a little star, and you're like, that's the deputization star of the security champion. You should definitely make sure to put a note in their performance review, so say all the good things they did; be specific, give examples. I want their manager to know that they did a great job, and I want them to know that their manager knows, and that there's a permanent note in their file of how much effort they've been putting into this and how much they've been succeeding at it, how much value they've been giving their organization. Recognition: when you recognize your employees or a team of volunteers, they will be so much more loyal, they will work harder for you because they feel valued, and also they're human beings and we should make them feel valued. We just should. Okay, so tell their boss every time they do something specifically awesome. If they do a great big thing, or, you know, they stay over the weekend and fix a whole bunch of bugs that were really important, or update a framework that was really upsetting you, tell their boss and let them know. Send them an email and tell them that you saw; you want them to know that you noticed that they are working hard and that their work matters. And then make their role on the team clear to their peers. It's really important that their peers understand that they have some sort of authority, that they should be listening to them, and it also just feels good to be recognized in front of your peers. What can I say? I totally live for positive reinforcement, that and sugar. So: the world's most interesting man doesn't always think about security, but when he does, it's usually too late.

Okay, so reward. We want to reward them for their amazing work, so we want to reinforce good behavior with rewards instead of punishing bad behavior. It's a lot more likely that you'll have your champions like you if you do that. So anything you can think of, reward them if you can. If you are allowed to buy things, if you have a budget, you could buy them a security book, send them security videos, send them on security training, send them on a CTF, any sort of gifts that you can give them. Give them your time and attention; that is a reward, I kid you not. Help them with more than just security. I was a dev forever, I can still fix whatever type of bug people need, and so if a security champion is coming to me and they're like, oh yeah, and there's this other problem, tell me, I will help you. I want to help them with everything so that they trust me with security. Let them see new things first; like I said, I give them a sneak peek whenever possible. Let them help you make decisions, take their opinions seriously, listen to them. Anything you can think of that will make them feel rewarded. I know it sounds maybe a bit weird, but I've baked cookies a ton of times, and, yeah, going around just being like, I brought you some cookies as a gift because I want to say thank you, because you're awesome. Just the effort of baking the cookies shows how much I value them. You don't have to learn how to bake or anything; I just happen to like it.

Okay, so the last one is: please don't stop. When in doubt, over-communicate. If you do not communicate regularly, your program will disappear. It'll disappear quickly; it'll disappear before you've even realized it. I have seen so many places, so, so many places, where they did this huge big kickstarter, and they're working out for lunch and learn every week, we're gonna do this, we're gonna... and then after six weeks they just stop, because they're exhausted. It's much better to do a steady, slower rollout that is consistent than a huge burst and then disappear. So don't let it slip. Consistency is the absolute most important part of every security champion program. Even if you meet with them only once a month, just to check in for 15 minutes, that is you having it continue. Some champions will need more of your time than others, and some will be duds. Some of them will do the absolute bare minimum, and they won't seem enthusiastic, and they're not that great, but they are way better than nothing, which is what you had before, and so measure your time accordingly. If you have accidentally dropped your program, you need to pick it back up as soon as possible. You do not need to have a perfect lunch and learn presentation; you do not need to hire an amazing external professional speaker to come speak to them every time. Just you saying, hey, we bought a new tool and I kind of want to show it off, anyone want to come? P.S. I have donuts. You'd be surprised how well that works. Culture is a practice; it must be repeated over and over and over again. Who you are, who your organization wants to be, the culture within your organization is something that you must reinforce constantly for it to continue to exist, and it will fall apart faster than you think. So please be consistent, and that is where you will get your huge value from these efforts.

So we did it, we did it. We've recruited, engaged, we've taught them, we've recognized them, we've rewarded them, and we are not going to stop. So, conclusion: what we learned. We learned how to attract the right people to your program. We learned about what to teach them. We learned how to engage them and turn them into our security advocates. We talked about what we should delegate, what we should not delegate. We talked about how to motivate our champions, and basically just how to build a completely kick-ass program. That's what we talked about, and I think that, well, I'm going to give you a few resources, but I think you're well on your way. Okay, so, oh yes, and our recipe, because I wanted to repeat it for the five thousandth time on the slide.

Okay, so resources. Let's give you some things to start with. These are my favorite books. Yes, I did write one of them, and obviously that's the best one ever. But you can't do security right if you are not doing it right, and so I believe DevOps is the way. If you're doing waterfall, that's okay, but reading these books can really help you learn how to modernize your waterfall or your agile processes that you're doing; automating some parts of it, you'll have more consistent results. And then my book, Alice and Bob Learn Application Security: it is, from start to end, how to create a program, what each thing means, secure coding. It is everything that was in my brain at that point, and I am excited to offer that to the world. I have a podcast; it's called the We Hack Purple podcast. It's on all the different platforms, but basically the first season is all about how to get into information security, the different types of jobs that exist. I interview a guest every week about, you know, their career progression, what it's like to do their job, does their job pay well, are there a lot of job opportunities, how hard is it to get that job, what's the best part, what's the worst part. But season two will be starting in October, and it is going to be "teach me something security," and we are going to teach two to three concepts or specific skills in each episode, because, quite frankly, I want to learn for free and I know a lot of cool people that can be guests and teach me stuff. Resources: me. I actually just moved my blog, so it's now at wehackpurple.com, and then you just press the blog button. We just put it up last night, which is why this is not here. So we have wehackpurple.com and I just click on the blog. I'm moving all my blog posts over there. I have a YouTube channel. Alice and Bob Learn: we have monthly free discussions where I invite a bunch of experts on and we talk about the book and answer questions and stuff. I have a newsletter, I tweet on Twitter, I'm a giant nerd, I really like talking about this stuff. And then lastly, I want to wish you a wonderful life spending your time doing strange things with weird people, because in my opinion that's a wonderful way to live. So thank you so very much for coming to my talk. I hope you all go out and build many, many, many security champions and a completely awesome security champions program. I'm Tanya Janca, and thank you for coming to my BSides talk.
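The "big three" code review checks the talk asks champions to spot (input validation, output encoding, parameterized queries), shown as an added example that is not part of the talk or the speaker's material: a small profile lookup in its flagged "before" form beside the hardened form, using an in-memory SQLite table of constructed sample users and a hypothetical username allowlist.

```python
import html
import re
import sqlite3

# Constructed sample data so the example runs offline (not from the talk).
SAMPLE_USERS = [
    ("alice", "Alice <Admin>"),
    ("bob", "Bob & Co"),
]

# Hypothetical allowlist for usernames: letters, digits, underscore, 3-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def profile_html_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """The 'before' version a reviewer should flag on all three counts:
    no input validation, SQL assembled by string formatting, and the display
    name dropped into HTML without output encoding.  Kept here only so the
    review can compare it against the hardened version below."""
    rows = conn.execute(
        f"SELECT display_name FROM users WHERE username = '{username}'"
    ).fetchall()
    return [f"<h1>{name}</h1>" for (name,) in rows]


def profile_html_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """The hardened version: validate, parameterize, encode."""
    # 1. Input validation against an allowlist; reject rather than "clean".
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # 2. Parameterized query: the driver binds the value, it is never spliced
    #    into the SQL text, so quotes in the input cannot change the query.
    rows = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchall()
    # 3. Output encoding for the HTML context the value lands in.
    return [f"<h1>{html.escape(name)}</h1>" for (name,) in rows]


def review_comparison(username: str) -> dict[str, object]:
    """Run both versions on one input and report what a reviewer would see."""
    conn = make_db()
    try:
        safe = profile_html_safe(conn, username)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return {"input": username,
            "unsafe": profile_html_unsafe(conn, username),
            "safe": safe}


if __name__ == "__main__":
    # A normal name and a quote-bearing name, to show how the two versions differ.
    for name in ("alice", "' OR '1'='1"):
        print(review_comparison(name))
```

With the quote-bearing input the unsafe version returns every row, while the hardened version rejects it at validation and would bind it harmlessly even if it got through.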